Implementing SDA campus integration using SingleID authentication
Overview
Employees now work not only in the office but also remotely, on field assignments and from mobile offices, so corporate network environments change quickly. Network infrastructure is being moved to SDN (Software-Defined Networking) based architectures to keep up.
In this environment EAP-TLS is the preferred network authentication method, because it authenticates users with certificates rather than passwords, but it requires certificate issuance and distribution to be managed for every user and device. An environment that supports certificate management end to end is therefore needed.
This document describes a solution that uses SingleID's PrivateCA to distribute user certificates and, on that basis, implements EAP-TLS network authentication against Cisco ISE.
What is EAP-TLS authentication?
EAP-TLS (RFC 5216) is the EAP method in which the supplicant on the user's device and the authentication server (here Cisco ISE) run a full TLS handshake before the device is admitted to the network. The server authenticates the user by validating the user certificate against the CA it trusts, and the device authenticates the server by validating the server certificate against the CA deployed on the device, so no password is ever sent. The authentication is mutual only if the device actually performs the server check: a wireless profile with server validation disabled will complete the handshake with any rogue access point that presents a certificate. The handshake also derives the keying material that ISE passes to the access point and from which the per-session wireless encryption keys are generated, so the traffic that follows is encrypted over the air.
Architecture Diagram
The user connects to the corporate network and logs in with the shared onboarding account. The Cisco ISE policy that matches this login redirects the user to the SingleID web page, which opens automatically.
The user downloads the certificate distribution program from the SingleID web page.
After the program is run and the user completes ID and OTP authentication, the device receives the CA certificate (the trust anchor used to validate the ISE server certificate), the server certificate, and the user's personal certificate with its private key; the wireless network profile for EAP-TLS is applied at the same time.
When the user reconnects to the network, ISE authenticates the device by EAP-TLS against the deployed certificate, and the ISE authorization policy assigns the VLAN from the user information carried in the certificate (the subject alternative name fields agreed under Considerations).
Once the connection is complete, the user is on the network defined by their group policy.
Use Cases
User group-based network access control
Network access permissions can be configured per user group. For example, users can be classified as employees, partners, or visitors, with each group restricted to the resources appropriate for it; in this design the group is carried in the user's certificate and ISE maps it to a VLAN.
This lets the organization enforce its security policy, strengthening data protection and access control, and because group policies are defined and applied centrally in ISE they are straightforward to manage.
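The flow above (a private CA issuing the server and user certificates, ISE validating the user certificate and assigning a VLAN from the SAN) and the group-based access control of this use case can be modelled end to end with openssl. The script below is an added example, not code from SingleID or Cisco ISE; the hostnames, the urn:example:group: encoding of the group in the SAN, and the VLAN numbers are assumptions, and it needs openssl 1.1.1 or later. It also shows the two negative checks that make the design hold: a certificate from a CA that was never deployed is rejected even though its attributes look right, and a user certificate cannot be presented as the RADIUS server certificate because of its extended key usage.

```shell
#!/bin/sh
# Added example, not SingleID's or Cisco ISE's own code. Models the three
# certificate roles in the EAP-TLS flow with openssl: the private CA that the
# distribution program installs as trust anchor, the RADIUS server certificate
# the supplicant must validate, and the user certificate that ISE validates and
# reads the VLAN attributes from. Hostnames, the urn:example:group: SAN
# encoding and the VLAN numbers are assumptions. Needs openssl 1.1.1+ (-ext).
set -eu

WORK="${WORK:-$(mktemp -d)}"

newkey_csr() {   # newkey_csr <name> <subject>: P-256 key and CSR
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

make_ca() {      # make_ca <name> <common-name>: self-signed CA, CA-only key usage
  newkey_csr "$1" "/CN=$2"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

issue() {        # issue <ca> <name> <subject> <extfile>: CA-signed end-entity cert
  newkey_csr "$2" "$3"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -extfile "$4" -out "$WORK/$2.pem" 2>/dev/null
}

setup_pki() {
  make_ca ca "Example Private CA"   # deployed to every onboarded PC
  make_ca rogue "Rogue CA"          # never deployed; stands in for an attacker

  # RADIUS server certificate: serverAuth EKU and the ISE hostname in the SAN,
  # which is what a correctly configured supplicant checks before it sends
  # its own certificate.
  cat > "$WORK/server.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=serverAuth
subjectAltName=DNS:ise.example.com
EOF
  issue ca server "/CN=ise.example.com" "$WORK/server.ext"

  # User certificate: clientAuth EKU; identity and group carried in the SAN
  # (assumed encoding; the real fields are agreed with technical support).
  cat > "$WORK/alice.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
subjectAltName=email:alice@example.com,URI:urn:example:group:employee
EOF
  issue ca alice "/CN=alice" "$WORK/alice.ext"

  # Same attributes, but issued by the CA that was never deployed.
  sed 's/alice@/mallory@/' "$WORK/alice.ext" > "$WORK/mallory.ext"
  issue rogue mallory "/CN=mallory" "$WORK/mallory.ext"
}

# Supplicant side: accept the server only if it chains to the deployed CA and
# is usable as a TLS server. A user certificate must fail this check.
server_ok() { openssl verify -CAfile "$WORK/ca.pem" -purpose sslserver "$WORK/$1.pem" >/dev/null 2>&1; }

# ISE side: the user certificate must chain to the deployed CA and be usable
# for client authentication.
user_ok() { openssl verify -CAfile "$WORK/ca.pem" -purpose sslclient "$WORK/$1.pem" >/dev/null 2>&1; }

# ISE authorization, modelled: read the group from the SAN and map it to a VLAN.
group_of() {
  openssl x509 -in "$WORK/$1.pem" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/.*URI:urn:example:group:\([a-z]*\).*/\1/p'
}
vlan_for() {
  case "$1" in
    employee) echo 10 ;;
    partner)  echo 20 ;;
    visitor)  echo 30 ;;
    *) echo "no authorization rule for group '$1'" >&2; return 1 ;;
  esac
}
assign_vlan() {  # assign_vlan <user>: prints the VLAN, or fails with the reason
  user_ok "$1" || { echo "reject $1: not issued by the deployed CA" >&2; return 1; }
  vlan_for "$(group_of "$1")"
}

setup_pki
server_ok server && echo "server certificate accepted by supplicant"
server_ok alice || echo "user certificate rejected as server certificate (EKU)"
echo "alice -> VLAN $(assign_vlan alice)"
assign_vlan mallory || echo "mallory rejected"
```

In a real deployment the vlan_for mapping lives in the ISE authorization policy, the user_ok check is ISE's certificate authentication profile against the deployed CA, and server_ok is the server validation setting in the wireless profile pushed to the PC, which is why that profile must name the deployed CA rather than leave server validation disabled.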
Support same VLAN when moving between workplaces
Because the VLAN is derived from the user's certificate rather than from the switch port or location, a user is assigned the same VLAN at every office location within the company and keeps a consistent network environment. Users reach the same network services and resources at all locations without any additional configuration.
Since nothing has to be reconfigured when changing locations, user convenience improves and the administrator's network management overhead is reduced.
Certificate authentication and certificate deployment/management integration
Users perform network authentication while the certificates it requires are distributed and managed automatically. The deployed certificate is what the user authenticates to the network with, and when a user's information changes (for example a group move), reissuing the certificate with the updated attributes is enough for ISE to apply the new network settings at the next authentication. The previous certificate stays valid until it expires unless it is revoked, so revocation is part of making such a change effective.
In other words, certificate distribution, network authentication, and permission enforcement are provided as a single integrated workflow.
Prerequisites
The user PC must be able to reach SingleID over the network, because the certificate issuance program verifies the user's identity (ID and OTP) against SingleID before a certificate is issued.
At that point the PC is still in the onboarding state, so the network path that the ISE policy allows for that state must include SingleID; if it does not, identity verification in the issuance program fails and no certificate is issued.
Constraints
SDN (Software-Defined Networking) devices are supported when they are integrated with Cisco ISE (Identity Services Engine).
Integration with other SDN equipment requires prior consultation.
Considerations
The user information to be included in the certificate's subject alternative name (the fields ISE reads for identity and VLAN assignment) must be agreed with technical support staff in advance.
Related service
The Samsung Cloud Platform services below are related to the features or configurations described in this guide. Refer to them when selecting and designing services.
| Service group | Service | Description |
|---|---|---|
| Security | SingleID | Security service that provides unified authentication (AM), account management (IM), multi-factor authentication (MFA), abnormal behavior detection (ADM), and cloud access management (CAM) |
| Networking | VPN | A service that connects the customer’s network to the Samsung Cloud Platform via an encrypted virtual private network. |
